How plastics processors can defend against cyberattacks
By Bruce Geiselman and Karen Hanna
In the wake of highly publicized cyberattacks that shut down businesses, cyber experts say plastics companies need to batten down the hatches.
“Plastics processors, equipment manufacturers and others in plastics-related businesses should be concerned,” said Steve Mustard, an independent automation and cybersecurity consultant and president of the International Society of Automation. “I have not heard from any companies that are worried, but that is part of our general lack of awareness of the risk. Companies still believe they are not a target, or that, because they’ve never been attacked before, it will not happen in the future.”
View from the ground
At one molding shop, the IT department is taking note.
As a one-man IT and cybersecurity team for a small automotive-parts maker, Joshua Nye has heard the alarm.
“It’s probably the thing that keeps me awake for most of the night is the unknown of what could happen just by a simple mistake, and it could be email. … It’s something I worry about quite a bit,” said Nye, who, as customer service and information technology manager at Team 1 Plastics Inc., oversees the computer technologies of a 24/7 custom molding shop.
With just 55 employees, Team 1 Plastics is a relatively small player among automotive-parts suppliers. Any attack along the supply chain could hurt business, so the company stays vigilant, and hopes its vendors and customers do, too.
To protect the company, Nye is diligent about loading software updates as they come out. The company runs redundant systems and has identified and backed up its critical data, so it can get up and running in a hurry.
Nye responded to a Plastics Machinery & Manufacturing email with a phone call, just because he didn’t recognize the sender. It’s a cautious approach he’s trying to pass on to his colleagues — sometimes, he concedes, to the point of being annoying.
“The key for me a few years ago was explaining to people that, ‘Hey, when I’m helping you with these emails, this not only helps you with Team 1, but it helps you personally, right?’ ” Nye said. “If a person’s trying to grab your bank account information or lock up your Social Security account … if you can work with me, this will actually help you personally, which also means that you’re not missing work because you’re dealing with these issues, which is also good for Team 1.”
Recognizing the threat
According to cyber experts, the opening salvo in an attack can be something as seemingly benign as an email. Machines running software that has not been updated also are vulnerable.
“It seems like you can stop 90 percent of these issues by making sure all your stuff is up to date,” Nye said.
Cyber experts warn that plastics companies can’t afford to be lax.
A board member of the Mission Critical Global Alliance, a nonprofit organization that works toward advancement and protection of mission-critical operations, Mustard is president and CEO of au2mation (National Automation Inc.), which provides automation and cybersecurity consulting. He addressed recent cyberattacks — involving a beef processor and pipeline — in a blog post.
“In the first half of 2021 alone, we have seen cyberattacks on our water supply, our fuel supply, and now our food production,” he said “All three are critical infrastructure sectors defined by the U.S. Department of Homeland Security. The critical manufacturing sector, of which plastics industry organizations are part, is another one of the 16 sectors identified by DHS.”
While the DHS does not specifically identify plastics processing as part of the critical manufacturing sector, several of the industries identified, including transportation equipment, aerospace, appliances, electrical equipment and component manufacturers, rely heavily on plastic parts.
Eric Vanderburg, VP of cybersecurity for TCDI, a Greensboro, N.C., cybersecurity and forensic services company, agreed that plastics processors are at risk.
“I think [cyber criminals] are trying to target anything that’s going to have an impact on the public,” he said. “Here, you see the disruption of beef. They can do the same thing to the plastics [industry] or use that as part of a supply chain attack on some other industry.”
Plant operators, especially in critical industries, need to be better prepared, Mustard said.
“We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” Mustard said.
Risk vs. reward
While Team 1 Plastics takes pride in investing in the latest technologies, Nye said it pays to be cognizant of risks.
“The more people have entered the cloud, it’s hard to understand what data they have floating out there. And, if you lost your ability to reach it, and somebody else had that data, you’d be in a bad spot,” Nye said.
Increasingly, companies are integrating their internet technology (IT) and operational technology (OT) networks, which can lead to more efficient operations, but it also introduces new vulnerabilities, cyber experts said.
“The upside of digital transformation is that connectivity of OT environments to the IT environment and up to the cloud creates amazing opportunities for efficiency and competitive advantage,” said Grant Geyer, chief product officer at industrial cybersecurity company Claroty. “The soft underbelly of that is digital risk.”
At Team 1 Plastics, Nye hears the excitement of his colleagues when they discuss the gee-whiz capabilities of the newest Industry 4.0 technologies.
But instead of thinking about a technology’s benefits, he takes a safety-first view.
“I’ve had production managers or different people that come across things at different events or shows, and say, ‘Hey, we’d love to integrate this technology at the plant.’ And my first question is always, ‘What’s the security behind it?’ ” he said.
Camera-equipped robots, for example, might allow the company to operate with fewer people, or give employees the luxury of overseeing operations from anywhere. However, Nye said they’re easy to hack. He cautions that, with some technologies, security planning isn’t robust enough.
“Security always seems to come later on once they have an issue with it. And so, we heavily try to vet anybody coming to the company with anything industry 4.0 or cloud services to make sure that they’re already taking those steps to secure it.”
Advantages of linking IT with OT systems include smart factory solutions, predictive maintenance, just-in-time ordering systems and the ability to analyze inventory and efficiency of operations.
“The downside is that by connecting these environments together, you’re potentially opening Pandora’s box,” Geyer said.
In the event of an attack
If hackers gain access to a plant’s computer network, damages could range from stolen information to a shutdown of operations, Geyer said.
“If attackers get access to your plant, it really is dealer’s choice in terms of what they choose to do,” Geyer said. “It can be everything from stealing information that they can leak on the internet to locking up systems that they won’t unlock without a ransom being paid, to causing physical damage to equipment. In environments with chemicals, this involves employee safety. It really can have significant negative consequences to organizations.”
Companies must decide whether they would be willing to pay ransom, he said.
“There are many people in industry who have presented what I’ll call ivory tower approaches, saying that, ‘No, you should never pay the ransom because paying the ransom begets more ransomware,’ ” Geyer said. “Well, that certainly is unarguable, but it may be a bit idealistic. It’s idealistic to say, ‘If I ever get mugged, I’m not going to give up my wallet.’ But the reality is, when you’re staring down the barrel of a .44, you might feel a bit more forthcoming with your payment.”
Some criminal enterprises engaged in cyber ransom demands behave much like legitimate businesses.
“Some of these ransom gangs have a customer service desk; they have PR teams that try to give them the aura of pseudo legitimacy, but in reality, they are a bunch of cyber thugs,” Geyer said. “It’s not that the ransomware is happening from unknown and ungoverned locations. Many of these gangs are operating from Russia with explicit or implicit approval from the government.”
Geyer said he believes the U.S. has been “far too silent on the matter.”
“It’s like if you keep getting your lunch money taken away every day at the bus stop, and you just do nothing about it,” Geyer said. “You’re going to go hungry after a while. My perspective is that it has been far too long before the United States has drawn red lines about what is acceptable and unacceptable behavior to foreign countries and taken action. What we’re seeing now is the consequence of cyber gangs and nation-states acting with impunity against business and the U.S. national interests.”
Bruce Geiselman, senior staff reporter
Karen Hanna, senior staff reporter
Contact :
au2mation, Spring, Texas, 713-344-3317, https://au2mation.com
Claroty, New York, [email protected], www.claroty.com
International Society of Automation, Research Triangle Park, N.C., 919-549-8411, www.isa.org
TCDI, Greensboro, N.C., 888-823-2880, www.tcdi.com
Team 1 Plastics Inc., Albion, Mich., 517-629-2178, www.team1plastics.com
More information about how to thwart cyberthreats
• As companies embrace Industry 4.0 technologies, enabling remote monitoring and control of equipment, they also increase the risk of hackers gaining access to their computer systems. All processors need to take steps to prevent cyberattacks.
https://plasticsmachinerymanufacturing.com/21140776
• Changes in business practices due to the COVID-19 pandemic have opened the door for additional risks, with large numbers of employees working remotely and accessing companies’ computer networks from their homes.
https://plasticsmachinerymanufacturing.com/21140849
• Most companies today have an IT department for day-to-day technology needs, but when it comes to addressing digital threats, those IT professionals may need the specialized tools and services offered by cybersecurity companies.
Addressing the threat
Cybersecurity experts who spoke to Plastics Machinery & Manufacturing recommended the following:
Size up emails before opening or responding to them or following any links that they contain. Misspellings, or the use of a generic server, such as Gmail or Yahoo, rather than an official company email address, should raise red flags. Still unsure if the email is credible? Give the sender a call before sending a message.
Watch out for websites. The clues that give away bad emails pertain here, too: Misspellings and outdated design could signal problems. Before clicking a link, hover over the URL to see what address actually comes up. If it’s not what’s expected, avoid it. Rather than following links to a website, find the official website from a search engine.
Run exercises to ensure that the company’s incident-response plan will work when required. Use test emails to train employees to recognize potential perils.
Keep software up to date. Install patches as they come.
Segment IT (internet technology or corporate network) systems from OT (operational technology) systems and filter the traffic coming into and out of computer networks. “If they segregate their systems properly, they can restrict an attack to one area, and still allow some downgraded operations to continue,” said Steve Mustard, the president and CEO of National Automation Inc., which provides automation and cybersecurity consulting.
Back up all data.
Don’t rely only on Microsoft. Look to other supplies for additional layers of security. Using a back-up operating solution that’s not Microsoft could allow you to more quickly resume operations, should you experience a hack. “You can mix and match a little bit, which I think gives us a little bit of an advantage,” said Joshu Nye, customer service and information technology manager at Team 1 Plastics Inc.
Don’t use USB devices or other drives from unknown or untrustworthy sources into network-linked computers,
Evaluate the security of Industry 4.0 technologies, not just their benefits.
Consider how to respond to a ransomware attack. Questions to weigh include how long production would be down, the ramifications if the company can’t pay its bills and the amount it would cost to recover from a ransomware attack. “If organizations can’t answer these questions, they need to take action immediately from a people, process and technology perspective,” Mustard said.
Bruce Geiselman | Senior Staff Reporter
Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.
Karen Hanna | Senior Staff Reporter
Senior Staff Reporter Karen Hanna covers injection molding, molds and tooling, processors, workforce and other topics, and writes features including In Other Words and Problem Solved for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. She has more than 15 years of experience in daily and magazine journalism.